Several firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure.
Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement."
Firmware flaws can have serious implications because an adversary can abuse them to achieve long-term persistence on a device in a manner that survives reboots and evades traditional operating system-level security protections.
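To make Binarly's point about TPM measurement concrete, here is an added illustration (not code from Binarly, HP, or the original article) that replays a measured-boot chain in Python. The firmware components are constructed byte strings standing in for a UEFI core and an SMM driver, not real images; the PCR arithmetic follows the TPM 2.0 SHA-256 bank, where a resettable PCR starts at all zeros and each extend computes H(PCR || H(component)). The example shows the two sides of the limitation: a driver modified on flash changes the measurement and is caught, while the same unmodified but vulnerable driver exploited in SMRAM at runtime produces the identical PCR, so a monitor comparing boot-time PCRs to a golden value sees nothing.

```python
import hashlib

# Constructed stand-ins for firmware components measured during boot; these are
# hypothetical byte strings, not real HP firmware images.
UEFI_CORE = b"uefi-core (hypothetical)"
VULNERABLE_SMM_DRIVER = b"smm-driver v1 (hypothetical, has a memory-corruption bug)"
TAMPERED_SMM_DRIVER = b"smm-driver v1 (hypothetical, has a memory-corruption bug) + implant"


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 2.0 PCR extend on the SHA-256 bank: PCR' = H(PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a measured-boot chain. A resettable PCR starts as 32 zero bytes."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def integrity_ok(components, golden_pcr: bytes) -> bool:
    """What a firmware integrity monitor does: compare the boot-time PCR
    against a recorded known-good value."""
    return measure_boot(components) == golden_pcr


def smm_exploited_at_runtime(measured_components):
    """Model of a runtime SMM compromise: SMRAM is corrupted after the boot
    measurement was taken, while the flash image (and thus every measured
    component) is untouched. Returns (what the monitor re-measures, runtime
    state the monitor never observes)."""
    return list(measured_components), {"smram_intact": False}


if __name__ == "__main__":
    golden = measure_boot([UEFI_CORE, VULNERABLE_SMM_DRIVER])
    # 1. Image modified on flash: the measurement changes and the monitor notices.
    tampered_detected = not integrity_ok([UEFI_CORE, TAMPERED_SMM_DRIVER], golden)
    print("tampered image detected:", tampered_detected)
    # 2. Unmodified vulnerable image exploited in memory: the measurement is identical.
    components, runtime = smm_exploited_at_runtime([UEFI_CORE, VULNERABLE_SMM_DRIVER])
    print("runtime SMM exploit visible to monitor:", not integrity_ok(components, golden))
    print("SMRAM actually intact:", runtime["smram_intact"])
```

The takeaway for defenders is that a PCR attests to which code was loaded, not to whether that code is still behaving correctly; measurement-based monitoring therefore needs to be paired with tracking of firmware versions against vendor advisories so that a known-vulnerable but unmodified image is flagged for patching.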
The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern memory corruption in the System Management Mode (SMM) of the firmware, enabling the execution of arbitrary code with the highest privileges:
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were reported to HP in July 2021, with the remaining three (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022.
It is worth noting that CVE-2022-23930 is also one of the 16 security flaws that were previously flagged earlier this February as affecting several enterprise models from HP.
SMM, also called "Ring -2," is a special-purpose mode used by the firmware (i.e., UEFI) for handling system-wide functions such as power management, hardware interrupts, or other proprietary code designed by the original equipment manufacturer (OEM).
Shortcomings in the SMM component can, therefore, act as a lucrative attack vector for threat actors to perform nefarious activities with higher privileges than those of the operating system.
Although HP released updates to address the flaws in March and August, the vendor has yet to push the patches for all impacted models, potentially exposing customers to the risk of cyberattacks.
"In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device," Binarly said, adding, "fixing vulnerabilities for a single vendor is not enough."
"Due to the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors."
The disclosure also arrives as the PC maker last week rolled out fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.
"It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up," the company noted in an advisory.